Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)

Order of enforcement

  1 min read

Order of precedence refers to the priority of individual policies within the policy builder (lowest value first, or from top to bottom as shown in the dashboard). You can modify the order of precedence by dragging and dropping individual policies in the dashboard.

In Gateway, the order of precedence follows the first match principle — once a site matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. Therefore, we recommend putting the most specific policies and exceptions at the top of the list and the most general policies at the bottom.

For example, suppose you have a list of DNS policies:

PrecedenceSelectorOperatorValueAction
1Hostisexample.comBlock
2Hostistest.example.comAllow
3Domainmatches regex.\Block

When a user navigates to https://test.example.com, Gateway evaluates the policies in the following order:

  1. Policy #1 does not match test.example.com — move on to check Policy #2.
  2. Policy #2 matches, so DNS resolution is allowed.
  3. Policy #3 is not evaluated because there has already been an explicit match.